[CentOS] CentOS Security Advisories OVAL feed??

Wed Aug 5 14:49:30 UTC 2020
Johnny Hughes <johnny at centos.org>

On 8/5/20 1:05 AM, centos at niob.at wrote:
> On 04/08/2020 23:50, Jon Pruente wrote:
>> On Tue, Aug 4, 2020 at 11:34 AM <centos at niob.at> wrote:
>>> Q5) If the answer to the last question is "no": shouldn't there be such
>>> a resource?
>> CentOS doesn't publish security errata. If you need it then you should
>> either buy RHEL, or deal with putting together your own set up with
>> something like http://cefs.steve-meier.de/
> I expected just this answer, and we do have a RHEL subscription (and
> BTW: thanks for the link). But you missed the main point by omitting the
> other questions (especially Q1, Q2 and Q3): There are upstream package
> versions that were never rebuilt for CentOS.
> For instance: If, for whatever reason, I am required to stay with nginx
> 1.14.1 then the missing rebuild of the packages mentioned in
> RHSA-2019:2799 (https://access.redhat.com/errata/RHSA-2019:2799) would
> leave me with a vulnerable system.
> The question for an OVAL feed is actually an add-on question: In the
> same spirit that is the base for the CentOS project itself: wouldn't
> such a feed be a good thing to have? Otherwise your answer could be the
> catch-all answer to all questions CentOS: Go get a commercial
> subscription. Personally, I think such an answer is not very helpful.
> So what do you think about the underlying issue? Under what
> argumentation does it NOT constitute an issue?

Modules suck .. :)

But that is built and in the repo ..

dnf list 'nginx*'

1:1.14.1-9.module_el8.0.0+184+e34fea82                  AppStream
1:1.14.1-9.module_el8.0.0+184+e34fea82                  AppStream
1:1.14.1-9.module_el8.0.0+184+e34fea82                  AppStream
1:1.14.1-9.module_el8.0.0+184+e34fea82                  AppStream
1:1.14.1-9.module_el8.0.0+184+e34fea82                  AppStream
1:1.14.1-9.module_el8.0.0+184+e34fea82                  AppStream
1:1.14.1-9.module_el8.0.0+184+e34fea82                  AppStream
1:1.14.1-9.module_el8.0.0+184+e34fea82                  AppStream

As I have said before .. mbbox (the item used to build modules) adds an
index code (the 184) and a part of the git commit (e34fea82) .. so this
will always be different between RHEL and CentOS .. because we use
different builders and a different git repo.  Red Hat's RHEL index code
is 4108 and the git commit is af250afe
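The practical consequence of the build-system suffix is that an RHSA's fixed build and the CentOS rebuild of it never have byte-identical NEVRs, so naive string matching of installed packages against the advisory fails even when the rebuild is in the repo. The following added example (not from this thread or from CentOS tooling) parses the modular release tag into its parts, compares two builds while ignoring the per-build-system index and git commit, and runs that check over listing lines in the shape quoted above. The RHEL EVR string is constructed from the index code and commit given in the mail; the `module+el8` separator for RHEL builds is an assumption, and the version comparison is a simplified rpmvercmp that does not handle `~` or `^`.

```python
import re
from dataclasses import dataclass

# Release tags from the module build service look like
#   <base>.module_el8.0.0+<index>+<commit>   (CentOS, as in the mail)
#   <base>.module+el8.0.0+<index>+<commit>   (RHEL; the '+' separator is an assumption)
_MODULE_RELEASE = re.compile(
    r"^(?P<base>[^.]+)\.module[_+](?P<dist>el\d+(?:\.\d+)*)"
    r"\+(?P<index>\d+)\+(?P<commit>[0-9a-f]+)$"
)


@dataclass(frozen=True)
class ModularEVR:
    epoch: int
    version: str
    base_release: str   # release with the build-system suffix stripped, e.g. "9"
    dist: str           # e.g. "el8.0.0"
    build_index: str    # per-build-system counter, e.g. "184" (CentOS) vs "4108" (RHEL)
    commit: str         # short git commit of the module checkout


def parse_modular_evr(evr: str) -> ModularEVR:
    """Split an EVR such as 1:1.14.1-9.module_el8.0.0+184+e34fea82 into its parts."""
    epoch = 0
    if ":" in evr:
        epoch_str, evr = evr.split(":", 1)
        epoch = int(epoch_str)
    version, sep, release = evr.rpartition("-")
    if not sep:
        raise ValueError(f"no release field in {evr!r}")
    m = _MODULE_RELEASE.match(release)
    if m is None:
        # Non-modular build: keep the whole release, there is no build-system suffix.
        return ModularEVR(epoch, version, release, "", "", "")
    return ModularEVR(epoch, version, m["base"], m["dist"], m["index"], m["commit"])


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpm version compare: numeric segments numerically, alpha lexically.
    Returns -1, 0 or 1. Tilde/caret handling of real rpmvercmp is omitted."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xd != yd:
            return 1 if xd else -1      # numeric segment sorts newer than alpha
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def evr_cmp(a: str, b: str) -> int:
    """Compare two EVRs on epoch, version and base release only, so that the
    CentOS and RHEL rebuilds of the same module build compare equal."""
    pa, pb = parse_modular_evr(a), parse_modular_evr(b)
    if pa.epoch != pb.epoch:
        return 1 if pa.epoch > pb.epoch else -1
    c = rpmvercmp(pa.version, pb.version)
    if c:
        return c
    return rpmvercmp(pa.base_release, pb.base_release)


def same_rebuild(a: str, b: str) -> bool:
    return evr_cmp(a, b) == 0


def fixed_by_advisory(installed: str, advisory_evr: str) -> bool:
    """True if the installed build is at least the advisory's fixed build,
    ignoring the build-system index and commit in the release tag."""
    return evr_cmp(installed, advisory_evr) >= 0


def check_dnf_listing(lines, advisory_evr: str):
    """Walk `dnf list` style lines (EVR and repo as the last two columns, with
    or without a leading name column) and report which builds carry the fix."""
    results = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        evr, repo = parts[-2], parts[-1]
        results.append((evr, repo, fixed_by_advisory(evr, advisory_evr)))
    return results


# Constructed RHEL EVR, built from the index code and commit stated in the mail.
RHEL_FIXED = "1:1.14.1-9.module+el8.0.0+4108+af250afe"

# Constructed listing: the CentOS line from the mail plus an older build made up here.
SAMPLE_LISTING = [
    "1:1.14.1-9.module_el8.0.0+184+e34fea82                  AppStream",
    "1:1.14.1-8.module_el8.0.0+170+0123abcd                  AppStream",
]

if __name__ == "__main__":
    for evr, repo, ok in check_dnf_listing(SAMPLE_LISTING, RHEL_FIXED):
        print(f"{evr:45} {repo:10} {'fixed' if ok else 'VULNERABLE'}")
```

Note that this only settles whether the CentOS rebuild corresponds to the RHEL build named in an advisory; whether the rebuild actually exists in the repository, which is the complaint in the thread, is a separate check against the repo metadata.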
